Prevent Punycode phishing attack (Firefox and Chrome Vulnerability)

Article ID: 169416

Products

Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS

Issue/Introduction

This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

The xn-- prefix is what is known as an ASCII compatible encoding prefix. It lets the browser know that the domain uses punycode encoding to represent Unicode characters. In non-techie speak, this means that if you have a domain name with Chinese or other international characters, you can register a domain name with normal A-Z characters that can allow a browser to represent that domain as international characters in the location bar.

Source: Wordfence (Check "Additional Information").

Cause

At the time of writing, the vulnerability was not yet fixed in Chrome 57.0.2987 or Firefox 52.0.2.

Resolution

Workaround

Until Chrome and Firefox fix this vulnerability, the workaround is to block, at the proxy, any GET request whose destination host contains the string "xn--" (the ASCII-compatible-encoding prefix every punycode label carries).

To block these requests, create a new rule in a Web Access Layer with the destination set to Destination Host/Port and the condition "Host contains xn--", with the action set to Deny.

CPL code equivalent to the rule above (comments start with ";"):
<Proxy>
    ; Deny any request whose destination host matches the UnicodeBlocking condition
    condition=UnicodeBlocking DENY

; The condition is true when the host name contains the substring "xn--",
; i.e. when at least one label of the host is punycode-encoded
define condition UnicodeBlocking
    url.host.substring=xn--
end

Important Notes:
  • This is a temporary workaround until this vulnerability is fixed in Chrome and Firefox.
  • This workaround blocks every host that uses the xn-- prefix, so legitimate internationalized domains are denied along with phishing domains.
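The following added example (written for this article, not Broadcom code, and in Python rather than CPL so it can be run off the proxy) shows what the substring rule above decides for a few hostnames, decodes each xn-- label to the Unicode string a browser would display, and adds a per-label script check that separates a legitimate IDN (which the blanket rule also denies, as the second note warns) from a label that mixes Latin and Cyrillic letters. The sample hostnames are constructed here; the "script" of a character is approximated from the first word of its Unicode name, which is a heuristic, not a full script-property lookup.

```python
"""Detect punycode (xn--) labels in hostnames and show what they decode to."""
import unicodedata

# ASCII-compatible-encoding prefix that every punycode label starts with
ACE_PREFIX = "xn--"


def blocked_by_substring_rule(host: str) -> bool:
    """Same test as the article's CPL: does the host contain "xn--" anywhere?"""
    return ACE_PREFIX in host.lower()


def decode_host(host: str) -> str:
    """Return the Unicode form a browser would show for an ACE-encoded host.

    Labels without the xn-- prefix pass through unchanged; prefixed labels are
    decoded with Python's built-in IDNA codec.
    """
    labels = []
    for label in host.lower().split("."):
        if label.startswith(ACE_PREFIX):
            labels.append(label.encode("ascii").decode("idna"))
        else:
            labels.append(label)
    return ".".join(labels)


def label_scripts(label: str) -> set:
    """Approximate set of scripts used by the letters of one label.

    Heuristic: the first word of the Unicode character name ("LATIN", "CYRILLIC",
    "GREEK", ...). Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch).split()[0])
    return scripts


def assess(host: str) -> dict:
    """Decision record for one host: blanket-rule verdict, decoded display form,
    and whether any label mixes scripts (the refinement the blanket rule lacks)."""
    decoded = decode_host(host)
    mixed = any(len(label_scripts(label)) > 1 for label in decoded.split("."))
    return {
        "host": host,
        "blocked_by_substring_rule": blocked_by_substring_rule(host),
        "decoded": decoded,
        "mixed_script_label": mixed,
    }


# Constructed sample hosts (not taken from the article). The second is the
# RFC 3492 "bücher" example, a legitimate IDN; the third uses a Cyrillic
# "е" (U+0435) between Latin letters so that it renders like "test".
SAMPLE_HOSTS = [
    "www.example.com",
    "b\u00fccher.example".encode("idna").decode("ascii"),   # xn--bcher-kva.example
    "t\u0435st.example".encode("idna").decode("ascii"),     # mixed Latin/Cyrillic label
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(assess(host))
```

Running the block prints one record per sample host: the plain ASCII host is not blocked, the bücher host is blocked by the substring rule even though its single label is pure Latin, and the third host is both blocked and flagged as mixed-script. A proxy policy cannot express the script check in CPL, but the output makes the trade-off of the workaround concrete when deciding whether to deploy it.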